US Cloud soon illegal in EU? US punches first hole in EU-US Data Deal
137 comments
·February 6, 2025mrtksn
progbits
Google could do this easily, there are whitelabel GCP offerings run by EU companies already:
https://cloud.google.com/t-systems-sovereign-cloud?hl=en
Hardware, personnel and all access is EU company. Google can provide updates they have to manually review and install, and provides support.
It's pretty niche now but if demand grows more providers will spin up the same thing.
mrtksn
That will probably work as long as it yields the desired results.
It would be fine if ends up like this: https://a.dropoverapp.com/cloud/download/b053fcd7-4635-4508-...
belorn
The trend in EU is to tighten up regulation to the point where the achieved goals occurs fairly slow and steady. The goals are also not about ownership (there is no country called Europe, so what would it even mean?), but rather that the data and control remain within the jurisdiction of EU law and then ratified by each country.
The results so far has been that most large companies has local legal presence within Europe, EU data centers, EU specific contracts with customers, and recently EU specific features in applications. It basically salami-tactics. Part of this strategy is also to use the court system to enforce specific aspects, like how part of GDPR is just now getting enforced after a case in March in 2024 by EDPS. The case initiated in 2021, GDPR was written 2016, so it also illustrate the pace. In the time between 2016 and now there are multiple new regulations, and those will also take time before they are fully enforced.
mrtksn
I don't know about the hidden intentions but it appears that its time to switch the cutting style from salami to ribeye or arms and legs.
>here is no country called Europe, so what would it even mean?
Soon there will be, they are creating the 28th regime which is essentially a virtual country with a jurisdiction designed for speedy bureaucracy. I hope they do a good job with the implementation of the idea.
jkaplowitz
I get your comparison to the TikTok ban, but not even noyb is questioning the legality of transfers outside the EU to countries in general, whether pursuant to an European Commission adequacy decision or pursuant to Standard Contractual Clauses.
The problem is specifically that US law and policy will make both of those options unviable to guarantee the rights GDPR requires with respect to transfers to the US, once noyb gets the EU courts to state this clearly enough and invalidate the Commission’s adequacy decision for businesses which participate in the EU-US Data Privacy Framework. (In the meantime, EU companies are allowed to rely on that decision.)
There are several non-EU countries with adequacy decisions whose validity nobody is questioning, including Canada, New Zealand, and the UK. Many more countries can adequately be handled through Standard Contractual Clauses. The problem is very US-specific.
mrtksn
I mean look, the details may vary but the core holds. The businesspeople running EUs communications are directly involved with the openly hostile US government and directly try to influence politics and create rage with the European public.
The current open markets model is not working, time to copy from the success stories: Ban foreign ones or force them to become local.
The current politicians are still in denial but as things deteriorate things will have to happen. Unlike US, European politics are not just two parties having about the same support.
Things can get very spicy very quickly. You think the anti-establishment ones are pro-American? The most pro-American politicians are those in power or those who recently lost power to the anti-establishment.
Pretty much non of the anti-establishent are pro-American(with the exception of UK with Farage) and with Musk targeting Farage I'm sure they took a note on how transactional their relationship with the US anti-establishment is.
TeMPOraL
Whichever factions and sentiments gain power in the EU, there's only so much they can do before hitting the major factor that's usually not spelled out explicitly in polite company, but generally understood: the US has nukes and aircraft carriers. We don't - or at least not enough to replace US in the role it plays in Europe's security.
I hope they won't be crazy enough to just bludgeon through that anyway, as past that, hic sunt dracones.
belter
Maybe AWS knew this. In China they already operate under a different company.
"AWS plans to invest €7.8 billion into the AWS European Sovereign Cloud " - https://www.aboutamazon.eu/news/aws/aws-plans-to-invest-7-8-...
"...The AWS European Sovereign Cloud will provide customers the capability to meet stringent operational autonomy and data residency requirements within the European Union (EU), with infrastructure wholly located within the EU and operated independently from existing Regions. The AWS European Sovereign Cloud will allow customers to keep all customer data and the metadata they create (such as the roles, permissions, resource labels, and configurations they use to run AWS) in the EU..."
mrtksn
EU tried hard to guarantee open markets through rules based security but this is now out of fashion. Instead, the new game is to close your markets to foreigners and say its for national security reasons.
This might be bad for the citizens as it is limiting and breaking the global humanity ideal and I hate it that this is happening but EU must be really stupid to have the only open market then get ridiculed for not having "global" tech companies.
As it appears, the world going forward would be like the Chinese "tech" will be for 1.4B people, the US "tech" will be to 330M people and the EU "tech" will be for 450M people.
At this time, because you can access the EU market form US you can just form your business in US and hire people from EU to do the work. If EU imposes limits, suddenly it makes sense to invest in EU.
If you think about it, EU+UK+Asia taxpayers educate most of the "US talent". Very few of the people who invented the tech are US educated, the US educated ones tend to be the money guy or the entrepreneur free riding on foreign tax money.
Time to end the EU subsidies to US companies or maybe impose tariffs to make up for it. US is being very bad for EU, doing very nasty stuff.
Maken
Do not forget the Indian "tech" for another 1.4B people. They are also placing restrictions on how Indian's data is handled on the cloud.
robertlagrant
> EU must be really stupid to have the only open market then get ridiculed for not having "global" tech companies
I'm not sure how these are related. The EU has far less money than the US for speculative, big payoff investments, to my knowledge. That's why there's less chance of creating new companies (and new markets) compared to the US.
d1sxeyes
Yeah, they'll all just set up new opcos in the EU to carry on doing business, rather than actually selling up.
WJW
The goal of such regulation would be to reduce the amount of influence US tech billionaires can exert over the EU. Any regulation would be written with that in mind, so an opco which would still be controlled from the US is not in line with that goal. At the very least, regulation could enforce that any opcos (more joint ventures at that point) would be at least 51% owned and operated by EU entities.
pandemic_region
> What if EU gives a year to American cloud providers to sell their companies to a European owner?
Well "liberty" will appear on our doorstep rather quickly, to free those clouds from the oppressive EU regime of course.
juliangmp
> Thousands of EU businesses, government agencies or schools rely on these provisions. Without the TADPF, they would need to stop using US cloud providers like Apple, Google, Microsoft or Amazon instantly.
Please God let this happen
Gazoche
There’s no way this will happen any time soon.
I work at a billion-dollar EU company that’s balls deep in Azure after a very, very long migration away from on-prem datacenters.
Cutting off US-based cloud providers would be chaos of biblical proportions.
zurn
Does this use case involve US data transfer? Azure seems to have invested quite a lot into implementing EU data residency.
josefx
They will just write up a new deal, which will be legal until it is declared illegal by a court after half a decade of litigation. Rinse, repeat. This has been going on for ages already.
anonzzzies
Half a decade being 4 years minus a month right? When everything gets rolled back as usual.
harha
This would be incredibly funny to follow. Fax machines and mainframes would make an impressive return, as Europe moves even more towards a more relaxed pace.
anonzzzies
Mainframes wouldn't be that bad; give me a mainframe client (we have a few) any day over a 'move fast break things we now use the latest wasm kubernetes micro nano services backplane react liveview fiber cloud' crap that somehow breaks literally every day, even without deploying.
Maken
Jokes aside, I would rather have mainframes than Windows and cloud services everywhere in public administrations.
harha
Fully with you on dropping Windows, and I don’t think cloud really has positive ROI vs building or hosting in a lot of cases. There are a lot of good cases though, scaling, access etc.
IrezaH
The EU economies were better in the early 1990s, before all this unnecessary Windows, cloud nonsense, social networks etc. invaded.
The US exports hot air and gets real goods in return.
egorfine
Yeah, I too had better personal life back in the day when MS-DOS was the main operating system for the common people and offices.
inexcf
Thanks for making me chuckle. You call it a return of fax machines. You would have some fun looking into German government offices.
amarcheschi
Tbh some alternatives are popping up, such as lidl having a cloud division that offers services similar to aws
I just hope that if it happens, it's a very gradual rollout and not a hard one
thomasz
No, Europe will not go back to the Stone Age. US services will be substituted for somewhat shittier European services. That’s how it goes. On average, everyone will be worse of. The European customer loses, US tech loses, European tech wins.
I’m somewhat surprised about this kind of gleeful condescension in this particular forum, of all places.
robertlagrant
I would be pretty happy if the EU ploughed a load of money into a FOSS office suite on an ongoing basis.
myrmidon
I think this is essentially the exact same approach as the "bring back US electronics/heavy industry"-- you subsidise a sector (either directly, via regulation or tariffs). This can have positive outcomes (crisis tolerance, less reliance on international trade), but all those jobs that it brings, are basically paid for fully by additional costs for taxpayers/consumers (and there are also negative side effects on other sectors).
I think this is currently in vogue globally (both sides of the political spectrum), but its important to remember that we had good reaons to stop doing this in the past (or at least scale it down to absolutely vital sectors like agriculture).
homarp
I'll take a hezner and ovh cloud.
But you are right, we might have to use SAP instead of siebel and peoplesoft
pjmlp
Nah, we would get fine with SuSE Linux and Jolla.
Cthulhu_
That makes me think, would Linux, having been made in Finland originally, fall under an export restriction if it came to that? I mean it's open source and thus can no longer be contained but still, interesting thought experiment in what would happen if linux was no longer allowed to be used from one day to the next.
infthi
One can already access AI with fax. What else would one need?
yread
We would just all switch to sqlite running on hetzner's dedis
sam_lowry_
And we will spend 100x times less on infra, nourish our own industry and redirect the money to the improvement of our electrical grid and local subsidies.
I am all for it.
As someone working for the public administration I've long been worried about the decline of skills of IT workers here in Europe. It is especially flagrant in email infrastructure.
Since we are offshoring email to Microsoft for a long time already, we totally forgot how to manage email internally for the few cases when we still need it.
rsynnott
Hetzner Maximalism.
ChemSpider
In my main job we provide SaaS services. We get more and more requests for "EU located" services.
A new trend I see is that some customers even rule out using EU located servers that are owned/run by US companies (such as the AWS Dublin or Franfurt locations).
croes
Of course they do. Because of the CloudAct the location of the server doesn’t matter.
A US company has to give access to the data on their servers to the authorities no matter where the servers are located.
They can go to court to prevent it but aren’t allowed to inform their customer.
That violates EU law on multiple levels.
dathinab
Also EU daughter companies of US tech giants are still legally EU companies (owned by US companies) legally they have to strictly comply with EU law and it matters shit what US law says (from the EU legislative POV) so this puts them into a huge problem spot.
tzs
An EU company, even if it is owned by a US company, would not be subject to the Cloud Act and so should not find itself on the spot. The Cloud Act applies to whoever owns the data on the server, not to whoever owns the server.
Here's the situation it was designed to deal with. You've got a US company that has some documents. Law enforcement gets a subpoena requiring the company to turn over copies of those documents.
If the company has used some third party cloud storage provider to store those documents it has to retrieve them. It does this using the exact same procedure it would use if it was retrieving the documents for its own use. To the cloud storage provider this is just a routine data retrieval of a customer's data by the customer.
As far as I know if someone outside the EU buys cloud storage from an EU cloud storage provider, stores some files there, and later retrieves those files the EU provider will not get in trouble if that customer later did something with the files that would not be legal in the EU.
I'd be surprised if most countries don't have something equivalent. For example when German prosecutors were investigating VW after VW's emissions test cheating came to light if they had used whatever the German equivalent of a subpoena is to ask for copies of the emission system source code, would VW have been able to say "Sorry, we've got those in a private Github repository which happens to be hosted outside of the EU, so we can't get them for you"?
I suspect that the only reason the US actually had to have something like the Cloud Act and others don't is because only in the US could you have actually had a chance to succeed in saying that you cannot be compelled to turn over a document that you control and can legally retrieve at any time just because you happen to have it currently stored somewhere that the compelling government does not have jurisdiction over.
foepys
Didn't Microsoft argue this in a US court and lost?
croes
It’s a problem without solution. That have to break one side’s law.
yibg
How would that even work if fully enforced? Are there even enough EU owned cloud and SaaS services to fill in for all the US owned ones?
belorn
What is the time span until it need to be fully enforced? Regulations are rarely if ever instantaneous. For the industry I work in (domain name, hosting, email, and similar services), you start to hear about it when they are being drafted, when they are about to be voted on, when they have been voted on, when it get ratified, when they get a date for when they are going to start being enforced, and once they are being enforced there is a generally a grace period of getting into compliance.
For a lot of stuff this is process that takes 10+ years. A fairly large step is the time between a EU regulation being created and when the same law is ratified by each country, and the span between those two events where the government seeks input from the industry on how to implement the regulation.
rsynnott
At present, no, of course not. No company maintains surplus capacity sufficient to absorb its competitors' business if they withdraw from or are excluded from the market. You'd assume in practice there'd have to be a transition period, during which the likes of Hetzner would be... busy.
(More likely, there's another round of negotiation, and some new bandaid solution is produced; not like it's the first time. No-one, or almost no-one, really _wants_ this to break down entirely; the fallout would be widespread.)
It does seem reasonable to expect that the rate of companies moving stuff out of US-based infrastructure providers will increase, though; the whole thing is very fragile.
michaelt
According to [1] "Synergy Research Group data indicated that since early 2017, the collective market share of European cloud players including SAP, Deutsche Telekom, OVHcloud, Telecom Italia, Orange has dropped from 27% to just 13% in their home territory. In the past year alone, their share has dropped around two percentage points. In contrast, Amazon, Google and Microsoft now account for 72% of the regional market."
Doing without would be extremely painful in the short/medium term.
Of course if you could instead force AWS to sell the EU arm of their business, that would be a different matter...
[1] https://www.fierce-network.com/cloud/european-cloud-players-...
jsnell
A lot of people here seem to be interpreting "Cloud" as as "public Cloud infrastructure provider". Note that this isn't just a question of AWS, Azure and GCP. It's about any kind of hosted services. So it would also apply to things like Dropbox, Slack, Gmail, WhatsApp, iCloud, etc.
(But it also wouldn't be a ban on personal use of such services, as long as the user consents. It'd "just" be very hard to use those services in business or government.)
yearesadpeople
pjmlp
Interesting site, needs more categories, like European Linux distributions for example, like SuSE and Jolla.
dguest
I'll take the risk that I'm missing a joke here and ask something very ignorant about linux.
Why would you need a regional linux distribution? The base is all open source, and I'm guessing the merges originate from everywhere in the world.
pjmlp
> I'm guessing the merges originate from everywhere in the world.
That is exactly the issue, when globalisation comes to an end as we are seeing it.
Why do you think many nations are already having their distro?
Naturally they aren't the kind of countries we would like to live on, but apparently we should not source all key infrastructure components from a country that is turning into 1984 as well.
fergie
It already is in practice. You can't legally use cloud services for "red" (personal information) or "black" (national security) data in most jurisdictions.
Some organizations that are deeply invested in a given tech provider do it anyway, but this is gradually going away.
seper8
Absolutely false for most European countries. Most of them are on at least some version of Office365 and many on Azure as well.
askonomm
I was pretty sure that Azure in Europe is using EU data centers or something of the like for its users data, is that not the case?
sam_lowry_
It's complicated.
Belgium has its own government cloud but its office infrastructure is on M365.
The Netherlands have nothing of their own.
EU institutions are migrating full-speed on AWS and M365.
blueflow
True for Germany but their color scheme is different.
belter
But then they use Microsoft Office....
tomtomistaken
EU should make a own cloud storage (hosted in the EU) giving every citizen 10GB of base storage after applying for it. Cloud is critical infrastructure. Besides, that would lift also the favorability of the EU.
moogly
Maybe CERN could run it.
sam_lowry_
That would be a better use of public money than building a successor to LHC.
paganel
Why in God's name would I share my personal data with the authorities here in the EU?
Euphorbium
Rather share it with the authorities in China and the US?
cudgy
Is it not more secure or at least less risky to share with foreign country that has no recourse?
immibis
US no, but a lot of people do actually choose to share their personal data with China instead of their own country. The reason being: their own country can use it to persecute them, but what would China possibly do with it?
dns_snek
The average person uses a big cloud provider already and I don't think they particularly care if it's Google Drive, iCloud, or "EU Cloud". All 3 are susceptible to the same searches by the authorities.
If you're concerned about that, you use your own E2EE anyway.
christophilus
Or anywhere else, for that matter. My data is my own. Court warrant or gtfo.
Euphorbium
Why 10GB? Why not 10TB?
jc_811
Worth noting that there is a European company (I believe headquartered in Sweden) whose mission is to build an EU-first cloud to compete with the large US offerings.
Evroc[1] is their name and I’ve been following them for a few years now. They raised a large amount in 2023 [2] and looks like they’ve just broken ground on land to build a data center just last week [3]
Very curious on how this will work for them and I plan on following their journey very closely. Any EU-based cloud engineers should apply to join!
[2] https://sifted.eu/articles/evroc-plans-e600m-investment
[3] https://www.datacenterdynamics.com/en/news/swedens-evroc-acq...
sam_lowry_
> build an EU-first cloud to compete with the large US offerings
Oh come on! There are so many options in the EU to choose from, already. That none of them has the complexity of AWS is a feature, not a bug.
pjmlp
Followed by OS, could not have those backdoors there.
Finally it is going to be the year of SuSE Linux Desktop, and Jolla.
Maybe we could have a second coming of Nokia N900 as well.
askonomm
Heyyy, I quite liked Symbian OS! And if this means that Linux would finally work on hardware other than Thinkpads from 20 years ago, I say heck yeah (Out of the box I mean, having to become an expert linux afficionado to be able to make its x11/wayland/xwayland clusterfuck to work does not count as working)!
Havoc
Given how unreliable the US is becoming a bit of distance might not be a bad thing.
leowoo91
FYI, there is already a type of deployment called "sovereign cloud" where data exports are controlled by the country and already under works by major providers.
Gravityloss
One thing is a bit unclear here. US headquartered cloud providers have physical data centers in EU. Would this also prevent EU businesses from using those?
pyrale
Yes. US law says in no uncertain terms that the us government can demand anything from its companies, including breaking the law in foreign countries. And that was before big tech decided to collude with an administration who doesn’t care about the law.
For US companies to be in the clear, they would have to split their EU subsidiaries in such a way that the US branch could not access their EU operations or ship new patches, and would not have operational oversight.
dathinab
Technically they also have EU daughter companies operating this services etc. this are legally seen EU companies and have to strictly comply with EU law no matter what US law says.
But US law like cloud act is a broad overreach of US law into other countries.
Which puts them into a tough spot where there parent company has to comply with US law and give US access to their EU daughter company but their daughter company must not allow them such access at all and if they would use technical means to get it anyway it would be legally no different then a cyberattack....
croes
That was their trick to circumvent the Patriot Act.
But then came the CloudAct and the location doesn’t matter anymore.
You do business in the US, you have to provide the data.
rustc
And what about EU headquartered cloud providers that have servers in the US like Hetzner?
Juliate
It's not the physical location of data that matters, it's the authority and control over the infrastructure and the data it holds.
In other words, if a US authority has any say on what's running/hosted in data centers in EU, it's a no go for more and more businesses and administrations.
belter
If you use AWS in Europe your invoice is from Amazon Luxembourg...
preisschild
The Parent company is still the US based Amazon though, which can direct Amazon Luxembourg and falls under US laws.
belter
Yes. What I mean is that they could sell it to somebody else, as it is already a separate corporate entity.
What if EU gives a year to American cloud providers to sell their companies to a European owner?
It's important to learn from the best. Considering the election meddling efforts from agents directly from within the US government who are also owner of large media and AI companies the only reasonable outcome would be either sell those companies to EU owners or guarantee exclusion from EU markets for national security reasons.